Technical Analysis of Copybara

Aug. 22, 2024, 6:52 p.m.

Description

This report presents a comprehensive technical analysis of a newly discovered variant of the Copybara Android malware. The malware, which emerged in November 2021, is primarily spread through voice phishing attacks. It utilizes the MQTT protocol for command-and-control communication and abuses Android's Accessibility Service to exert control over infected devices. The malware downloads phishing pages mimicking cryptocurrency exchanges and financial institutions to steal user credentials. The analysis covers 59 supported commands with detailed functionality descriptions, providing valuable insights into the malware's capabilities.

External References

https://www.zscaler.com/blogs/security-research/technical-analysis-copybara
https://otx.alienvault.com/pulse/66c7807a25c0da4218ce424c
Tags
android
2024-08-22
copybara

Date

  • Created: Aug. 22, 2024, 6:16 p.m.
  • Published: Aug. 22, 2024, 6:16 p.m.
  • Modified: Aug. 22, 2024, 6:52 p.m.

Indicators

  • f91fd4f9b6594446144ba865356fde07669ea0b46a62ddd926bb8cac0aa04dc9
  • f6975b1a9ab8935d45d6c2d94540b67b2374827734593c126785924afffb6634
  • f703f31f7b9ef95f820a724ebcee36377e2f4a42c92756b819bea6f34ec96cac
  • eb779ec4ed2c85e114a18db89b8ef9c7a19adc907748d1f18076e167f79bf04b
  • eb1f89b2edaeda18023a6ea5cd7a4b2997e4839e1f3d57e54c5b7a1b64407874
  • e82b0023abcc4bdb549f319389620c4cbd8ffabe8648168db31db62fd84a6904
  • e57565bd3f398508321470f857dfb07c195ed9b7b494ba00dc7c407ac8b8f3e1
  • e3875e3b20be42f38f457cf0b0d85683535472b47535635ec42da52b73b27e6e
  • e328dde9fa6db3da195e813696973657cc4fe636601cb0061a75c5086b04aa95
  • e097bb08da761ae5780e6c600c79738e36285a59589098dde53c88611c1ac66a
  • de242d9428a378a1b0dacb2e8d481fdfb062a47450f815c13e105975d5a41663
  • d887be78f443fabeb348ac2f85e1d42ed4d1c2cfc87d9e314c4b812c0b1fcfd8
  • d852f48e1c8a37d11f9dfb90f339316a5a3fa012bf152db43de1e81b45a69ba7
  • d23ef9fe27b116d982f8ebafb99587ffc9cc6c9b932f1b2d5efab2dad156e65e
  • cad56908abd1508451a5af4a5304de092f0342ec6a24bbbeb9b3988683483c84
  • c8c73080a2eb18ad1434ac408e916f3f819637550dfe07f20ad79e66ec1b2cf9
  • c32eb3b850a20e4715a6db40635de9fc6cefad840ce7e64e9c68c2b3e378ee7e
  • bff6fb5cbb1c0f8d05e2c6acefcf499a9c22f10d7db8aeda994638bf75018fbf
  • bcae6ea26fe1dd1fa5652e05c1b888186307ad277ce238a255908061b837a484
  • b99fc0a9eea993d6b5a04b0a0b05fe103f164fb85281fcddb04ac686daee065f
  • b5c206d8f980c8fa12a29886fad49f6a1469264055740cdf763efa7f726cd8d7
  • b4379324c7dc1fc623bcd9d2e8099dc3588ac23f87f33151d1c1005a1f33e713
  • b217e4f8143a6fbbad2e0667ce8242fc207274a78ce464af9b122df8ba12690b
  • b1b6a2d91e6fcc07322edce92aa75c13763b6844b2a1a549eeaf0f536bdc6183
  • b009ad0ed336f1e4bff3f452e238b3ea83d3bc7773f52d16d057298c116a95ea
  • ad1182d8bf3b1976e09f45b91085167559bc24e8f5e3f7315f96f344532cbcf8
  • afa3c43141a5b6f2473d49cdfa0bce1bf0af235a40f3ec092299287291137841
  • ab85b62cad1a4009bf99c621b4950ee23c413b5c424952f225497bca7a318a99
  • a8cc088426c6406f03ccedbb854e8dc83543d38c98a405db15074e9531731ade
  • a46537ccf4a188091f973a47b7186ee805539a0e5d94c62867cec08cec1c33e6
  • a1a1fbdb6070ff388642974b1616d1955c2a89fbb8702caa02fa6927adbdad6c
  • 9f693923e5641c046bdcadf10b4e2b553d078b98afc2e30f2d72660b1e0161ed
  • 9c136701362e2d661805257c02e23c9aa01b9081e1a559571f947390522fc51b
  • 9b204f839aed79d4c27f8d28198ef596dec9848a27a51f0672743a91e618677c
  • 989cf5faf307304f86db03180978ba4bd93c909bb458db83fcebe4fb48d7a002
  • 9830b91dfcf987a2556afd85893f8569c6ba03e3ebb194ecb6b32dafbc22e1e1
  • 9762eba15b893609b9461125c5adbcaf3bac7fea9536ffca72566abfa1bed084
  • 91fda73902e1a2a76b999df11caa4532c9c440d6f3da63dc03e0a78109d7583a
  • 8bbb6cd5277177beb86b037ef77d6fcbae4a51a19668063d4d1b40ce2453dad3
  • 8a2f6ff8aa1a6b416cb0aaa1530a8178c53760a69ce5c14d1d16ee880c335a4f
  • 8b05684a73f44ed82c0faf424b2d41a0c7b00c2fef4d7dc232c5433739a59f6c
  • 878bb68727daf025c0c9619d1d12337c289489f1190410ca4025c47f39357aa5
  • 85901707c7d058269820671e10af027eeadd39ee15f079cff340eed0f0ac9c2e
  • 868ce8fa932c46b6de18455dfc0935a75029cc10c7b484bc358cdfabf0b0c533
  • 7ffbc88e97be67214ad17325142ceb54823a5bdcebdbd4e4c9d0c65b3f0a1813
  • 7fa3d58a0056e8492a84894a6fd3b3d0d87ff1f9656f5e54b10580b9a4a4fd6a
  • 7b3262b6c3ad52e50e2ec6faf1ffb12ca08f0d17ac4f90420f13a6053b7f9622
  • 7a165645df48f6bde0fd5939a3e15d160826d944e603c34d46a7285f02f0941e
  • 790b166081fd763cc6239881a78ba5c4d757b8f98d1b5d5f7abfdede76f54c05
  • 767e4c42cefc4a29921f612f14611cf56b7d950ba91ccdd3a59adb57f25b7d18
  • 731a58248c7b467bc9d9a7482d8cb010242b3a534904ddc39471fa0620752d22
  • 6bc1ac4f844a6940c9e083c32bbf3f469b1322cc5aa83e12ab1a7f35cdb51c23
  • 6da8e49d8e083ec705985effa03cdb60cdd736f04ed711211b2a3842c815a708
  • 5bc6f1986a6e794e8feb78c763fef5f8cbb59f3696daa468aba058fb79befbf0
  • 6b15d8508e6782c25dc48618bbbe9b53c8c9a822655a8e52b7370e034fae7564
  • 4daf21a708afc06c0da4ee6e192a6db6405efb1e3a9eb6905cc69d501e781c8b
  • 4b43f7145eebe4c07d208911b9d74c7c996a5037a04d52e4c38a80c2456d1187
  • 472feeabc60fdcc87345574586a7599ead1625c94bf75f373e9086b4a6cfedbe
  • 447c387fca23aea2b0b78f1cf9ee1c369078196fe3c3051bb99309268d4a9f79
  • 41b61acc644add0a40ec6dbda231ae41f9de478fbf8cc029bc89d95a2829a53e
  • 40df5d874ed86aa65454d3d7becc334b7ca2dcb11754f9131135071a98752691
  • 376ff4dbea2e3570a5cb98a8b335c0503d050fecd7bb4f65d252b1b596d14fc7
  • 2d5e80f752608faa23f05e6558a695fcac261d78b9979d6746dc11dc995665e3
  • 2a5d05a6bfb3a73a91d88c15384c9b384d9309e8db0ed4e348d1a85d0f6729db
  • 2a1118c91d97a34e06344191eff546c062f81ccf58a7fa7bf1ec206a42d36c2b
  • 28323f93a6657363a0637341358303485d2cf240995457fc8393fb6b74f10d30
  • 29e642ef6bd41f343f66210e924724bb343432affd1ed25bf386d638ae79ee87
  • 24a58d1168d02009c97095e75387765e63b320a0dde1f8a9a7c8e3689a3f6dfb
  • 230f3d74004fee235055e786aba413abff2ed5cf4faa1987a070493be28c75d1
  • 22988cbb286f387036ced6fca6bb72b9f5e326706ad99065bc04bb8cb5dc4a12
  • 22046aaef8a6439d1f5f2980b4d6282e7b69e98c95a0f52010d8953f0cb5e736
  • 1a3e682c924edc1dc0a525f7f1c3e2534cb2945dfaf5bad52089592d216c6c7b
  • 1487cfbb6d702b8b2cfa88a6d586c092cdfbb472274ff54f894df35edd2f9d3e
  • 19e74d9f5649e9180b2b32b95c654e7fe448d989a44c15c9b3c245fa3150df5a
  • 13b904ed2391fed303979b8b8fe0ac72a356cab091057600237fc8ac784db82a
  • 136efade44da726858480a9b56aab5a9509e7c04b71fec08e9b779c069632d8c
  • 11470b5107f563c19ab92929a0e0ee5cf1b0c95fdd146f69ff9f9d4123f908cb
  • 0280536885bb406bc8cd90631bb48ddd809dcf16ecfb5acdc2e75c40171a63af
  • 01b0e9cb7e864e753261b94e3e652254968d8188562a5abfc240d19fa783bc5f
  • 46.249.35.219
  • 213.109.192.177
  • 213.109.147.35
  • 212.237.217.111
  • 193.31.41.93
  • 193.3.19.37
  • 176.126.113.210
  • 159.100.20.184
  • 176.124.32.39
  • 159.100.13.181
  • 146.19.143.42
  • 146.103.41.28
  • 80.251.153.96
  • 194.99.22.182
  • scarica-app.site
  • scarica-app.icu
  • scarica-app-token.com
  • la-nuova-app.cc
  • la-mia-app.com
  • generali-verifica.com
  • installa-app.com
  • entrar-y-confirmar.com
  • enlace-cliente.com
  • descarga-app-sign.com
  • datos-cliente.com
  • clienti-dati.com
  • clienti-verifica.com
  • descargar-e-instalar.com
Download all indicators here!

Attack Patterns

  • Copybara
  • T1600.001
  • T1592.001
  • T1600
  • T1592.002
  • T1548.002
  • T1537
  • T1583
  • T1548
  • T1530
  • T1497
  • T1518.001
  • T1518
  • T1496
  • T1498
  • T1592